keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Change passphrase is broken: Bad current passphrase #2819

Open cottsak opened 7 years ago

cottsak commented 7 years ago

I've just tried this twice now and logged out/in to verify I'm not crazy.

The https://keybase.io/account/email_and_passphrase page is not letting me change my passphrase. It's claiming Bad current passphrase: screengrab

FTR: I entered my current passphrase correctly.

maxtaco commented 7 years ago

I can take a look. What's your username?

maxtaco commented 7 years ago

I inferred it. Everything looks fine from the server side. Unfortunately, I can't do any further testing without knowing your passphrase, which I really don't want to know. It works OK for me and I haven't seen any complaints in a while.

Are there any JS console warnings?

cottsak commented 7 years ago

I get

Uncaught ReferenceError: elt is not defined
    at shouldOfferGenerate (onloadwff.js:1015)
    at setup_input_icon (onloadwff.js:943)
    at create_icons_generic (onloadwff.js:1133)
    at doc_create_clickable_icons (onloadwff.js:768)
    at onloadwff.js:756

as soon as I load https://keybase.io/account/email_and_passphrase

maxtaco commented 7 years ago

Can't repro that. I wonder, are you running any interesting extensions or passphrase managers?

cottsak commented 7 years ago

Looks like Error In Update: Bad current passphrase is failing in the page, before any requests are taking place: scrypt hash cycle?

maxtaco commented 7 years ago

Ah, can I blame this on LastPass (did a quick google)?

cottsak commented 7 years ago

@maxtaco Yes I am. LastPass Chrome extension.

maxtaco commented 7 years ago

I'd try in a different browser, or with extensions disabled.

Update passphrase is, for better or worse, doing a ton of client-side crypto.

cottsak commented 7 years ago

Failed in incognito window (extensions disabled). That's weird.

maxtaco commented 7 years ago

Did the console also show JS errors?

cottsak commented 7 years ago

Not when trying to change the passphrase. Only when GET/load the page initially.

cottsak commented 7 years ago

Just upgraded to Chrome 56.0.2924.87 (64-bit) and I'm on OS X 10.11.6 - still have the problem with and without incognito mode.

Also, no luck with all extensions disabled.

maxtaco commented 7 years ago

What network calls are made, and what statuses do they return?

maxtaco commented 7 years ago

I'm running out of ideas here BTW. I can probably make some debugging progress if you want to send me your existing password (encrypted via https://keybase.io/max), but otherwise, I can't do too much more...

cottsak commented 7 years ago

There is a GET request made to https://keybase.io/_/api/1.0/me.json?make_login_session=1 just as I click the Save button but it returns 200 well before the client-side message Bad current passphrase so perhaps they're unrelated?

cottsak commented 7 years ago

Also: upgraded to Safari 10.0.3 and problem persists. So I'm suspecting it's not browser/extension related.

Check this out, same problem? screen

maxtaco commented 7 years ago

Wait, it's not just the update passphrase form, it's everywhere?

cottsak commented 7 years ago

It's not https://github.com/keybase/keybase-issues/issues/2012 is it?

maxtaco commented 7 years ago

Definitely not. It just looks to me like you have the wrong password.....

cottsak commented 7 years ago

I don't know about "everywhere". I'm just telling you what I see.

Is it possible it's just my account/keys?

maxtaco commented 7 years ago

Can you logout/login?

cottsak commented 7 years ago

Yep - all works fine. I've even tested the login form with bad passwords prior to the correct one just to make sure I'm not going insane. I've done this like 20 times in the last 30 mins. Login works fine. I'm typing my password/phrase correctly.

Just doesn't work for [my account?] https://keybase.io/account/email_and_passphrase and the "Prove your HN identity" form.

cottsak commented 7 years ago

I'm very tempted to reset all my keys with the "Forgot Your Password?" feature via email however then if there is an issue and that fixes it, it will disappear and you won't be able to debug it anymore I suspect.

maxtaco commented 7 years ago

I think what's happening here is that your private key can't be decrypted properly.

maxtaco commented 7 years ago

I don't know why that would be.... But before resetting your account, you can just delete your public/private key and start with a new key, though you'll need to reprove twitter and github.

cottsak commented 7 years ago

@maxtaco you're not going to believe this! I think this issue is transient!

I just logged out again and tried to log in (which has worked reliably for the last ~20 attempts) and I got a failure (BAD_PASSWORD). I tried again and then I'm back in!

cottsak commented 7 years ago

I'm even copying and pasting my password now in just to be 100% sure.

cottsak commented 7 years ago

The key reset form worked, which is interesting because it seemed to do the same client-side hash/decrypt and was successful when the others were not.

cottsak commented 7 years ago

Fixed using the "Identity Reset" (reset keys) form. This is a shame.

There remains an issue.

Are you @maxtaco absolutely sure it's not https://github.com/keybase/keybase-issues/issues/2012 or something related to different public key types or key sizes? Check out this diff https://gist.github.com/cottsak/7b07a681fc41677d3d69/revisions anything to do with the GPGTools vs Keybase OpenPGP v2.0.62?

cottsak commented 7 years ago

Also, why did the email I received when resetting my keys say "first"? screen

Was there some major internal implementation change related to keys since my original sign up and public key pair which makes your system think that my new keys I added today were somehow my first ones ever?

malgorithms commented 7 years ago

Ah no, this is just bad wording/logic in an email template. I'll try to get to this soon. You reset your account, and it was your first key after the reset - the email template logic looks at your total number of active keys and sees it's 1 after that addition.

GaretJax commented 7 years ago

I'm running into the same issue. Logging in/out works (on the web), but changing passphrase and logging in over the CLI fails.